It's just a matter of weeks before iOS 7.1 gets released, but here's something alarming for iOS 7.0.x users. A bug in iOS lets anyone disable the Find My iPhone feature (within iCloud) without password authentication.
This is scary because Find My iPhone is the only way you can track a stolen or lost iPhone, and if someone disables it, you can forget about getting the iPhone back. The bug seems to have been fixed in iOS 7.1, but that comes later. For users running iOS 7 and 7.0.4, here's a fix (along with more information on the security hole).
Tech blog MacRumors found this video demonstration of a gaping iOS 7 security bug that allows anyone with access to the Settings app on the iPhone to disable Find My iPhone without having to authenticate with the iCloud password.
Security flaw in Find My iPhone iCloud Lock BYPASS
Find My iPhone is the only feature that lets you track your iPhone in case it's lost or stolen. You can track the GPS of your iPhone and its recent location (in almost real time), and lock or erase the contents of the iPhone remotely. But all of that works only when it's enabled within the iCloud part of the Settings app.
When you disable Find My iPhone, you will be asked to authenticate. With the bug, though, anyone attempting to disable Find My iPhone will be able to do so without having to enter the password. Briefly, it's just about entering a random password in iCloud → Account. This will throw an error message. Then remove the Description part and tap Done. There is no error message now. Head back one level and you should find that Find My iPhone is disabled.
What's worse is that after this step, if you delete the iCloud account, it just deletes without asking for a password.
Fixing this Security Flaw:
Given how important Find My iPhone is, you might want to make sure no one gets to change your account settings even if they have gained access to your passcode. Here's how:
- Open the Settings app
- Go to General
- Tap on Restrictions
- If it's disabled, tap on Enable Restrictions
- Give a good, secure password for restrictions (this is NOT your passcode)
- Scroll right down to the Allow Changes section and tap on Accounts
- Tap on Don't Allow Changes
Head back to Settings and you'll find that the iCloud preference is disabled. iCloud still works, but you can't make any changes to it.
Some have pointed out that even if the thief gets to delete the iCloud account and disable Find My iPhone, he might not be able to activate the iPhone after an upgrade or restore. I think that discussion comes later and is actually pretty useless. First, let's make sure our iPhones are traceable even when they're lost and not compromised because of an iOS 7 bug.